#RSAC: The Five Most Dangerous New Attacks According to SANS

At the RSA Conference in San Francisco on April 18 2018, three leading instructors and contributors from the SANS institute shared what they believe to be the five most dangerous new attack techniques in cybersecurity.

Repositories and Cloud Storage Data Leakage

Ed Skoudis named repositories and cloud storage data leakage as one of the techniques. “Software today is built in a very different way than it was 10 or even 5 years ago, with vast online code repositories for collaboration and cloud data storage hosting mission-critical applications,” he explained. “However, attackers are increasingly targeting such infrastructures, looking for passwords, crypto keys, access tokens, and terabytes of sensitive data in such repositories and cloud storage.” As a result, defenders need to focus on data inventories, appointing a data curator for their organization and educating system architects and developers about how to secure data assets in the cloud.

Big Data Analytics, De-Anonymization, and Correlation

“The battle is shifting from hacking machines to hacking data - gathering data from disparate sources and fusing it together to de-anonymize users, find business weaknesses and opportunities, or otherwise undermine an organization's mission,” explained Skoudis. Defenders need to start analyzing risks associated with how their seemingly innocuous data can be combined with data from other sources to introduce business risk, he said, “all while carefully considering the privacy implications of their data and its potential to tarnish a brand or invite regulatory scrutiny.”

Exploitability in ICS/SCADA: Intent & Method

James Lyne explained how the grand majority of malicious code has undeniably been focused on fraud and profit. “Yet, with the relentless deployment of technology in our society, the opportunity for political or even military influence only grows greater,” he said. “Rare, publicly visible attacks like Triton/TriSYS show capability and intent to compromise some of the highest risk components of industrial environments.” This translates to an increase in the number of active campaigns, or more adversaries developing backup disruption capabilities. “Many systems in this domain lack the mitigations of modern operating systems and applications. Attackers have demonstrated they have the inclination and resource to diversify their attacks, such as to the aforementioned SIS, which opens up new and concerning possibilities.”

Attackers Monetize Compromised Systems Using Crypto-Miners

Johannes Ullrich talked about how attackers “no longer bother with data. Last year, we discussed how ransomware was used to sell data back to its owner. Crypto-currencies were the tool of choice to pay for ransom.” Due to the flood of stolen data offered for sale, he continued, “most commonly stolen data like credit card numbers of PII has dropped significantly in value. Attackers will instead install crypto coin miners.” These attacks are stealthier and less likely to be discovered.

Hardware Flaws

Software developers often assume that hardware is flawless, said Ullrich, which he described as a dangerous assumption. “Hardware is no less complex than software and mistakes have been made just as they are made in software. Patching hardware is a lot more difficult and often not possible without replacing entire systems or suffering significant performance penalties.” Developers need to learn to create software without relying on hardware, he continued. “Software need to authenticated and encrypt data within the system. Some emerging homomorphic encryption algorithms may allow developers to operate on encrypted data without having to decrypt it first.”